这篇文章主要介绍了SpringBoot如何配置shiro安全框架,具有一定借鉴价值,感兴趣的朋友可以参考下,希望大家阅读完这篇文章之后大有收获,下面让小编带着大家一起了解一下。
springboot一种全新的编程规范,其设计目的是用来简化新Spring应用的初始搭建以及开发过程,SpringBoot也是一个服务于框架的框架,服务范围是简化配置文件。
首先引入pom
<!--SpringBoot 2.1.0--> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.1.0.RELEASE</version> </parent> <!--shiro--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>${shiro.version}</version> </dependency> <!-- shiro-redis --> <dependency> <groupId>org.crazycake</groupId> <artifactId>shiro-redis</artifactId> <version>3.1.0</version> </dependency> <!-- shiro-freemarker-tag --> <dependency> <groupId>net.mingsoft</groupId> <artifactId>shiro-freemarker-tags</artifactId> <version>1.0.0</version> </dependency> <!-- freemarker --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-freemarker</artifactId> </dependency>
ShiroConfig.java
package com.jx.cert.web.framework.config.shiro; import java.util.LinkedHashMap; import java.util.Map; import javax.servlet.Filter; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.cache.MemoryConstrainedCacheManager; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.crazycake.shiro.RedisCacheManager; import org.crazycake.shiro.RedisManager; import org.crazycake.shiro.RedisSessionDAO; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.DependsOn; import com.jx.cert.web.framework.config.shiro.filter.KickoutSessionControlFilter; import com.jx.cert.web.framework.config.shiro.filter.ShiroPermissionsFilter; import com.jx.cert.web.framework.config.shiro.filter.SystemLogoutFilter; import com.jx.common.utils.CacheConstants; /** * @ClassName: gyu * @Description: TODO(shrio配置) * @author gangyu * @date 2018年12月4日 下午2:28:07 */ @Configuration public class ShiroConfig { Logger log=LoggerFactory.getLogger(ShiroConfig.class); @Value("${spring.redis.host}") private String host; @Value("${spring.redis.prot}") private int port; @Value("${spring.redis.timeout}") private int timeout; @Value("${spring.redis.password}") private String password; @Value("${spring.redis.database}") private int database; //注意这里需要设置成 static 否则 @Value 注入不了数据 @Bean(name = "lifecycleBeanPostProcessor") public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); log.debug("-----------------Shiro拦截器工厂类注入开始"); Map<String,Filter> filterMap=shiroFilterFactoryBean.getFilters(); //权限过滤器 filterMap.put("perms", new ShiroPermissionsFilter()); shiroFilterFactoryBean.setFilters(filterMap); // 配置shiro安全管理器 SecurityManager shiroFilterFactoryBean.setSecurityManager(securityManager); // 指定要求登录时的链接 shiroFilterFactoryBean.setLoginUrl("/login"); // 登录成功后要跳转的链接 shiroFilterFactoryBean.setSuccessUrl("/index"); // filterChainDefinitions拦截器=map必须用:LinkedHashMap,因为它必须保证有序 Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); //对外应用开发接口不验证 filterChainDefinitionMap.put("/app/**", "anon"); filterChainDefinitionMap.put("/ajaxLogin", "anon"); // 放开验证码 filterChainDefinitionMap.put("/public/getGifCode", "anon"); // 退出 filterChainDefinitionMap.put("/logout", "logout"); //TODO 全部放行 // filterChainDefinitionMap.put("/manage/**", "anon[*]"); //公共资源 filterChainDefinitionMap.put("/static/**", "anon"); filterChainDefinitionMap.put("/css/**", "anon"); filterChainDefinitionMap.put("/img/**", "anon"); filterChainDefinitionMap.put("/js/**", "anon"); // authc:所有url都必须认证通过才可以访问; filterChainDefinitionMap.put("/**", "authc"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); log.debug("-----------------Shiro拦截器工厂类注入成功"); return shiroFilterFactoryBean; } @Bean public HashedCredentialsMatcher hashedCredentialsMatcher() { HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher(); hashedCredentialsMatcher.setHashAlgorithmName("MD5");//散列算法:这里使用MD5算法; hashedCredentialsMatcher.setHashIterations(1);//散列的次数,比如散列两次,相当于 md5(md5("")); return hashedCredentialsMatcher; } //权限缓存到内存 @Bean(name = "shiroRealm") @DependsOn("lifecycleBeanPostProcessor") public MyShiroRealm myShiroRealm() { MyShiroRealm myShiroRealm = new MyShiroRealm(); myShiroRealm.setCacheManager(new MemoryConstrainedCacheManager()); myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher()); return myShiroRealm; } @Bean(name = "securityManager") public SecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(myShiroRealm()); // 自定义session管理 使用redis securityManager.setSessionManager(sessionManager()); // 自定义缓存实现 使用redis securityManager.setCacheManager(cacheManager()); return securityManager; } /** * 配置shiro redisManager * @return */ public RedisManager redisManager() { RedisManager redisManager = new RedisManager(); redisManager.setHost(host); redisManager.setPort(port); redisManager.setTimeout(timeout); // redisManager.setPassword(password); redisManager.setDatabase(database); return redisManager; } //自定义sessionManager @Bean public SessionManager sessionManager() { MySessionManager mySessionManager = new MySessionManager(); mySessionManager.setSessionDAO(redisSessionDAO()); //默认1个小时session过期 mySessionManager.setGlobalSessionTimeout(CacheConstants.SHIRO_SESSION_MS); return mySessionManager; } /** * RedisSessionDAO shiro sessionDao层的实现 通过redis */ @Bean public RedisSessionDAO redisSessionDAO() { RedisSessionDAO redisSessionDAO = new RedisSessionDAO(); redisSessionDAO.setRedisManager(redisManager()); return redisSessionDAO; } /** * cacheManager 缓存 redis实现 * @return */ @Bean public RedisCacheManager cacheManager() { RedisCacheManager redisCacheManager = new RedisCacheManager(); redisCacheManager.setRedisManager(redisManager()); redisCacheManager.setExpire(CacheConstants.USER_DATA_TTL); return redisCacheManager; } }
MyShiroRealm.java
package com.jx.cert.web.framework.config.shiro; import java.util.ArrayList; import java.util.List; import org.apache.commons.codec.digest.DigestUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.LockedAccountException; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UnknownAccountException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import com.jx.cert.web.framework.config.shiro.exception.SysUsreNotLoginAPPException; import com.jx.cert.web.framework.config.shiro.exception.SystemNotExistException; import com.jx.common.utils.SysCode; import com.jx.core.api.model.vo.cert.SysPermission; import com.jx.core.api.model.vo.cert.SysRole; import com.jx.core.api.model.vo.cert.SysSystem; import com.jx.core.api.model.vo.cert.SysUser; import com.jx.core.api.service.business.cert.SysPermissionService; import com.jx.core.api.service.business.cert.SysRoleService; import com.jx.core.api.service.business.cert.SysSystemService; import com.jx.core.api.service.business.cert.SysUserService; public class MyShiroRealm extends AuthorizingRealm { private Logger logger = LoggerFactory.getLogger(MyShiroRealm.class); @Autowired private SysUserService sysUserService; @Autowired private SysRoleService sysRoleService; @Autowired private SysPermissionService sysPermissionService; @Autowired private SysSystemService systemService; @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { logger.info("####################开始配置权限####################"); SysUser user = (SysUser) principals.getPrimaryPrincipal(); if (user != null) { //权限信息对象info,用来存放查出的用户的所有的角色(role)及权限(permission) SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); List<String> roleStrlist = new ArrayList<String>();//用户的角色集合 List<String> perminsStrlist = new ArrayList<String>();//用户的菜单权限集合 for (SysRole role : user.getRoleList()) { roleStrlist.add(role.getRoleName()); } for (SysPermission permission : user.getPermissList()) { perminsStrlist.add(permission.getUrl()); } //用户的角色集合 authorizationInfo.addRoles(roleStrlist); //用户的菜单按钮权限集合 authorizationInfo.addStringPermissions(perminsStrlist); return authorizationInfo; } return null; } /*主要是用来进行身份认证的,也就是说验证用户输入的账号和密码是否正确。*/ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { logger.info("####################身份认证####################"); String userStr = (String) token.getPrincipal(); SysUser user = sysUserService.getUserByUserName(userName); //认证系统用户 List<SysRole> roleList = sysRoleService.findRoleByUserId(user.getUserId(),systemId); user.setRoleList(roleList);//获取用户角色 List<SysPermission> list=sysPermissionService.getUserPermission(user.getUserId(),systemId); SysPermission permis=new SysPermission(); list.add(permis); user.setPermissList(list);//获取用户权限 return new SimpleAuthenticationInfo(user, DigestUtils.md5Hex(user.getPassword()),getName()); } }
ShiroTagsFreeMarkerCfg.java
package com.jx.cert.web.framework.config.shiro; import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer; import com.jagregory.shiro.freemarker.ShiroTags; import freemarker.template.TemplateModelException; /** * @ClassName: ShiroTagsFreeMarkerCfg * @Description: TODO(ftl shiro 标签) * @author gangyu * @date 2018年12月5日 下午5:16:27 * */ @Component public class ShiroTagsFreeMarkerCfg { @Autowired private FreeMarkerConfigurer freeMarkerConfigurer; @PostConstruct public void setSharedVariable() throws TemplateModelException { freeMarkerConfigurer.getConfiguration().setSharedVariable("shiro", new ShiroTags()); } }
ShiroPermissionsFilter.java
/** * @Title: ShiroPermissionsFilter.java * @Package com.jx.cert.web.config.shiro * @Description: TODO(用一句话描述该文件做什么) * @author gangyu * @date 2018年12月5日 上午11:47:00 * @version V1.0 */ package com.jx.cert.web.framework.config.shiro.filter; import java.io.IOException; import java.io.PrintWriter; import java.util.List; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.gson.Gson; import com.jx.cert.web.framework.config.shiro.ShiroUtil; import com.jx.common.utils.Result; import com.jx.common.utils.enums.CodeEnum; import com.jx.core.api.model.vo.cert.SysPermission; import com.jx.core.api.model.vo.cert.SysUser; /** * @ClassName: ShiroPermissionsFilter * @Description: TODO(权限验证) * @author gangyu * @date 2018年12月5日 上午11:47:00 */ public class ShiroPermissionsFilter extends PermissionsAuthorizationFilter { private static final Logger logger = LoggerFactory.getLogger(ShiroPermissionsFilter.class); /** * 权限检测验证 */ @Override protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException { logger.info("----------权限校验-------------"); HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; String reqUrl=request.getRequestURI(); List<SysPermission> permsList=ShiroUtil.getUser().getPermissList(); String contextPath=request.getContextPath(); reqUrl=reqUrl.substring(contextPath.length()+1, reqUrl.length()); String header = request.getHeader("X-Requested-With"); boolean isAjax = "XMLHttpRequest".equals(header); SysUser user=ShiroUtil.getUser(); if(!new Gson().toJson(permsList).contains(reqUrl)){ if (isAjax) { logger.info("----------AJAX请求拒绝-------------"); response.setCharacterEncoding("UTF-8"); response.setContentType("application/json"); response.getWriter().write(new Gson().toJson(new Result(CodeEnum.NOT_PERMISSION))); } else { logger.info("----------普通请求拒绝-------------"); response.sendRedirect(request.getContextPath()+"/403"); } return false; }else { return true; } } }
ShiroUtil.java
package com.jx.cert.web.framework.config.shiro; import org.apache.shiro.SecurityUtils; import org.apache.shiro.session.Session; import org.apache.shiro.subject.Subject; import com.jx.core.api.model.vo.cert.SysUser; public class ShiroUtil { /** * 获取当前 Subject * * @return */ public static Subject getSubject() { return SecurityUtils.getSubject(); } /** * 获取shiro指定的sessionKey * * @param key * @param <T> * @return */ public static <T> T getSessionAttr(String key) { Session session = getSession(); return session != null ? (T) session.getAttribute(key) : null; } /** * 设置shiro指定的sessionKey * * @param key * @param value */ public static void setSessionAttr(String key, Object value) { Session session = getSession(); session.setAttribute(key, value); } /** * 获取当前用户对象 * * @return */ public static SysUser getUser() { if(getSubject().isAuthenticated()){ return (SysUser) getSubject().getPrincipals().getPrimaryPrincipal(); } return null; } /** * 获取当前用户对象UserID * * @return */ public static String getUserId() { return getUser().getUserId(); } /** * 移除shiro指定的sessionKey * * @param key */ public static void removeSessionAttr(String key) { Session session = getSession(); if (session != null) session.removeAttribute(key); } /** * 验证当前用户是否属于该角色 * * @param roleName 角色名称 * @return 属于该角色:true,否则false */ public static boolean hasRole(String roleName) { return getSubject() != null && roleName != null && roleName.length() > 0 && getSubject().hasRole(roleName); } /** * shiro 中获取session * * @return session */ public static Session getSession() { return getSubject().getSession(); } /** * 验证当前用户是否属于以下所有角色 * 多权限“,”分割 * * @param roleNames 权限名称 * @return 属于:true,否则false */ public static boolean hasAllRoles(String roleNames) { boolean hasAllRole = true; Subject subject = getSubject(); if (subject != null && roleNames != null && roleNames.length() > 0) { for (String role : roleNames.split(",")) { if (!subject.hasRole(role.trim())) { hasAllRole = false; break; } } } return hasAllRole; } /** * 验证当前用户是否属于以下任意一个角色 * 多权限“,”分割 * @param roleNames * @return */ public static boolean hasAnyRoles(String roleNames) { boolean hasAnyRole = false; Subject subject = getSubject(); if (subject != null && roleNames != null && roleNames.length() > 0) { for (String role : roleNames.split(",")) { if (subject.hasRole(role.trim())) { hasAnyRole = true; break; } } } return hasAnyRole; } }
感谢你能够认真阅读完这篇文章,希望小编分享的“SpringBoot如何配置shiro安全框架”这篇文章对大家有帮助,同时也希望大家多多支持亿速云,关注亿速云行业资讯频道,更多相关知识等着你来学习!
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。